EEOC ASSESSMENT SYSTEM (EAS)
PRIVACY IMPACT ASSESSMENT

The following laws and regulations establish specific requirements for the confidentiality, integrity, and availability of the data processed, stored, and transmitted by the EEOC Assessment System (EAS):

Computer Fraud and Abuse Act of 1984
Federal Information Security Management Act of 2002
OMB February 1996 Circular A-130, Appendix III
Paperwork Reduction Act of 1980
Privacy Act of 1974
Title VII of the Civil Rights Act of 1964
Equal Pay Act of 1963
Age Discrimination in Employment Act of 1967
Title I and Title V of the Americans with Disabilities Act of 1990
EEOC Order 240.005, EEOC Information Security Program
Information Security Responsibilities of EEOC Employees
EEOC Order 150.003, Privacy Act of 1974, As Amended

Public laws and regulations applicable to all federal agencies

The individualís right to privacy must be protected in Federal Government information activities involving personal information. This assessment addresses the privacy impact of the EEOC Assessment System.

Data in the System

1. Generally describe the information to be used in the system in each of the following categories: Complainant, Company, EEOC Employee, Other.

The EAS is designed* to allow a member of the public to make an initial assessment of whether the EEOC may be the appropriate agency to assist in addressing a perceived instance of discrimination. A decision tree structure, encapsulating jurisdictional information defined by statute and regulation, guides the user through a set of questions and selections to assist in determining high-level EEOC jurisdiction. If the user chooses to pursue the matter, the user may submit an electronic form to EEOC which includes contact information for the complainant and company, along with particulars of the complaint.

*Note: Currently, the EAS is only in use through EEOCís National Contact Center and is not yet directly available to the public.

2. What are the sources of the information in the system?

The decision tree structure is defined by jurisdictional definitions originating in statute and regulation. Questionnaire information is currently entered by EEOC National Contact Center (NCC) customer service representatives who walk the caller through the assessment and then, upon request, submit the electronic form to EEOC on the callerís behalf. Future use will allow the public to directly access the system and over the Internet.

2.1. What EEOC files and databases are used?

If the user decides not to proceed with completion of the electronic from for submission to EEOC, no data is stored. If the user elects to complete the electronic form, the information cited in question number 1 is stored, along with key data from the assessment process, in a secure EEOC database maintained at the Department of Interior, National Business Center. If the user decides to "submit" the information to EEOC for follow-up, the data is downloaded to a secure EEOC database maintained at EEOC. Upon validation of the data by an EEOC employee, the data may be entered into the EEOC Integrated Mission System (IMS) for tracking as a formal inquiry.

2.2. What Federal Agencies are providing data for use in the system?

None.

2.3. What State and Local Agencies are providing data for use in the system?

None.

2.4. What other third party sources will data be collected from?

None.

2.5. What information will be collected from the complainant or company?

The user (complainant) provides identifying and contact information for the complainant and company, along with particulars of the complaint and the basis for belief that the action was discriminatory.

3. How will data collected from sources other than EEOC records and the complainant or company be verified for accuracy?

All data is provided by the complainant through indirect entry by a NCC customer service representative on behalf of the complainant. Future use will allow direct entry of data by the public. Data is verified by an EEOC employee through direct communication with the complainant, as a part of the follow-up process.

3.1. How will data be checked for completeness?

The electronic form can only be submitted if all of the required fields are completed.

3.2. Is the data current? How do you know?

Once the data is submitted for processing, it will be forwarded electronically to an EEOC office for follow-up. The follow-up/verification process may take up to two weeks from the date of submission. In addition, data can be stored for up to 14 days, without submission.

4. Are the data elements described in detail and documented? If yes, what is the name of the document?

The data elements are described and documented within the on-line questionnaire, which is accessible via the EAS. The questionnaire may be printed by the user.

5. How will the data be used by the agency? Who is responsible for assuring proper use of the data?

The EAS will provide the public with an alternative mechanism for initiating contact with the Commission regarding a potential charge of employment discrimination. As such, the information will be used in much the same way as that obtained via traditional means such as telephone, mail, in-person visit, etc. The information serves as the basis or starting point for an interview with an intake officer regarding the potential filing of a charge. EEOC staffs are responsible for assuring proper use of the data, which is enforced by EEOC policies and laws.

Access to the Data

6. Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Other)?

If the user elects to save the information, without submitting it to an EEOC office for follow-up, the user will have access to their individual record for a period of up to 14 days (via login/password control). Once submitted to the EEOC, the user no longer has access to the record. Once submitted, only EEOC staff with a login/password to the EAS will have access to the information.

7. How is access to the data by a user determined? Are criteria, procedures, controls, and responsibilities regarding access documented?

If the end-user chooses to save the information without submitting it to the EEOC, the user is provided with a system generated secure ID and password combination. This login/password is valid for 14 days. EEOC staff are granted access to the EAS based on business need, which is determined by an EEOC Office Director. Access controls are documented in a system security plan.

8. Will users have access to all data on the system or will the usersí access be restricted?

End-user (complainant) access is restricted to their personal questionnaire information. EEOC field office staff access is restricted to questionnaires submitted to their particular office (read only mode for questionnaire data). Headquarters office staffs have nationwide access (read only mode for questionnaire data).

9. What controls are in place to prevent the misuse (e.g. browsing) of data by those having access?

End-user (complainant) access is restricted to their personal questionnaire information. Access by EEOC employees is governed by security policies and business requirements.

10. Do other systems share data or have access to data in this system? If yes, explain. Who will be responsible for protecting the privacy rights of the taxpayers and employees affected by the interface?

Upon verification, information within the EAS will entered into EEOC's Integrated Mission System (IMS) for formal tracking of the potential charge of employment discrimination. Privacy rights are enforced by EEOC policies and laws. No other sharing or access mechanisms are available.

11. Will other agencies share data or have access to data in this system (International, Federal, State, Local, Other)?

No other agencies share data or have access to the EAS. If the data is entered into the EEOC IMS, state and local government Fair Employment Practices Agencies may have restricted access to the data through the IMS, for related complaint processing purposes.

12. How will the system ensure that agencies only get the information they are entitled to under applicable statutes or regulations?

Other agencies do not have access to the EAS.

Attributes of the Data

13. Is the use of the data both relevant and necessary to the purpose for which the system is being designed?

Yes.

14. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

The EAS does not derive new data about an individual.

14.1. Will the new data be placed in the individualís record?

Not applicable.

14.2. Can the system make determinations about individuals that would not be possible without the new data?

Not applicable.

14.3. How will the new data be verified for relevance and accuracy?

Not applicable.

15. If data is being consolidated, what controls are in place to protect the data from unauthorized access or use?

Data is not consolidated from external sources. Individual records are maintained within a centralized database system. The application is hosted in a secure environment protected by the appropriate fire walls, security certificates, encryption, IT infrastructure and internal controls. Intrusion detection, as well as other security controls, is implemented. A third-party IT security risk assessment was conducted on the application prior to release.

15.1. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.

Not applicable.

16. How will the data be retrieved? Can it be retrieved by personal identifier? If yes, explain. What are the potential effects on the due process rights of individuals: consolidation and linkage of files and systems; derivation of data; accelerated information processing and decision making; use of new technologies. How are the effects to be mitigated?

If the user (complainant) elects to save their information prior to submitting the information to EEOC for process, the user may access his or her information via a system generated ID and password pair for up to 14 days. Data retrieval is only allowed via entry of the system generated login/password combination. EEOC staff may retrieve EAS data upon access to the system and entry of the complainant's name, questionnaire number, or submission date.

The EAS represents an alternative mechanism for potential Charging Parties to make initial contact with Commission. The EAS and its attendant technologies present no new potential challenges to the due process rights of the complaints. The EAS assessment module has undergone a legal sufficiency review to ensure compliance with federal statutes. Information on how to directly contact EEOC is provided to the user, should the user have any questions about the assessment.

Maintenance of Administrative Controls

17. Explain how the system and its use will ensure equitable treatment of individuals. If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?

The EAS uses automated, response driven logic, thereby ensuring equitable treatment by all users. It is a web-based, centrally located system.

17.1. Explain any possibility of disparate treatment of individuals or groups.

The EAS requires access to the Internet for direct use. The EAS is fully compliant with the standards outlined in Section 508 of the Rehabilitation Act of 1973, thereby ensuring equal access to information for individuals with disabilities. While this system will serve to expand EEOCís presence over the Internet and provide an alternative way for the public to electronically communicate with and receive services from the EEOC, full agency services will continue to be available through the EEOC headquarters and 51 field office locations via telephone, walk-in, mail-in, and fax. In addition, our NCC will continue to administer the EAS to individuals who contact EEOC via our 1-800 telephone number, to include translation and TTY services, as required.

18. What are the retention periods of data in this system?

User selections in the assessment component, which do not result in the submission of information to the EEOC, are only retained for the life of the session. Questionnaire data that is saved by the user, but not submitted to the EEOC for processing, is retained for 14 days. Retention periods for submitted questionnaires will be at least one year.

18.1. What are the procedures for eliminating the data at the end of the retention period? Where are the procedures documented?

These procedures are system functions described in the system documentation.

18.2. While the data is retained in the system, what are the requirements for determining if the data is still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?

The EAS serves as a conduit for the movement of initial contact information from the potential charging party to EEOC investigative staff. Apart from testing for completeness of user responses prior to submission to the EEOC and timely action on the part of Commission personnel in following up on the submitted information, the data maintained in the EAS is not accessed or used again as a part of the formal complaint process.

19. Is the system using technologies in ways that the EEOC has not previously employed?